Esc服务器后门如何自动处理,Linux服务器使用WebShellKiller后门自动化查杀教程

最新推荐文章于 2024-09-30 16:00:00 发布
最新推荐文章于 2024-09-30 16:00:00 发布
阅读量328 收藏
点赞数
文章标签: Esc服务器后门如何自动处理

Linux服务器使用WebShellKiller后门自动化查杀教程

世界和平 • 2019 年 11 月 22 日

Loading...

## 前言

如果服务器出现文件上传漏洞和命令执行类漏洞(包括命令注入、缓冲区溢出、反序列化等)都会让人担心,系统是否系统已被上传webshell甚至植入木马程序。

依靠人工排查,一是工作量大二是需要一定程度的技术知识和业务知识才能判断什么是正常什么是异常。

工作量大决定排查工作不可能由个别具有技术知识和业务知识的人来完成工作而需要其他人员参与,而如果这些没有“一定程度的技术知识和业务知识”的人员参与基本必然后导致大量的误报和漏报(主要是漏报)。

总而言之,在大量设备场景中人工排查后门是很难切实有效推行的排查手段。

所谓服务器后门,其本质其与桌面系统的病毒、木马并没有很大区别。

在桌面系统中我们可以轻松使用360点击查杀完成病毒木马的查杀,在服务器我们也可以使用类似工具完成后门的查杀。

至于漏报误报必然还是有的但会比人工排查少,至于效率则会高得多。

## WebShellKiller简介

WebShellKiller是深信服发布的一款webshell查杀工具,支持jsp、asp、aspx、php等脚本的检查。

[下载及更详细说明][1]

由于不是商用产品也不是开源产品,所以不能保证其后续是否持续维护更新,但基于以下两点就算不再更新该产品还是比较可靠的。

首先,从当前效果看使用[webshell][2]进行测试绝大部分都是能正确判断。

其次,身为webshell注定其最终必定要生成代码调用那些固定的危险函数,所以webshell的变形是有限制的,也就是所谓的“免杀”其实有比较高的门槛。

WebShellKiller支持windows和linux,我们这里只讲linux,windows直接解压双击运行没有什么操作性就不多讲了。

另外windows平台的webshell查杀还可以使用[d盾WebShellKill][3]

在线查杀可使用[百度webdir+][4]

## WebShellKiller安装使用

```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````bash

# 下载WebShellKiller

wget http://edr.sangfor.com.cn/tool/WebShellKillerForLinux.tar.gz

# 解压到当前目录

tar -zxf WebShellKillerForLinux.tar.gz

# 查看解压结果,可以看到多出centos_32、centos_64、linux_64三个文件夹

# 如果是centos 32/redhat 32那就使用centos_32,如果是centos 64/redhat 64那就使用centos_64,如果是其他linux 64那就使用linux_64

ls

# 查看当前操作系统

cat /etc/system-release

# 查看当前操作系统是32位还是64位;x86是32位,x86_64或x64是64位;一般都是64位

uname -m

# 我这里是centos 64所以进入centos_64

cd centos_64/wscan_app/

# 查看当前目录文件,wscan是主程序

ls

# wscan默认没有可执行权限,需要加上

chmod u+x wscan

# wscan从LD_LIBRARY_PATH加载so文件,需要将当前路径加到LD_LIBRARY_PATH以使wscan能找到当前目录下的so

export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH

# 执行扫描,/www/wwwroot/app_805ds_com是我这里要扫描的路径,改成自己要扫描的即可

# 被列出的文件即是被认为可疑的文件,人工识别是否为web应用自己所用文件即可

./wscan -hrf /www/wwwroot/app_805ds_com

```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````

## 操作截图

![操作截图](https://image.blogbig.cn/2019/11/23/1574509578.jpg)

[1]: https://www.blogbig.cn/go/TGaQoHjm/

[2]: https://www.blogbig.cn/go/X4vuR8Kh/

[3]: https://www.blogbig.cn/go/8fiPa9o0/

[4]: https://www.blogbig.cn/go/tevWg2EM/

[5]: https://image.blogbig.cn/2019/11/23/1574509578.jpg

weixin_39613561
关注
29-2 webshell 管理下
weixin_43263566的博客
03-21 496
然而,他自学掌握了多种计算机语言,包括C++、J2ME、PHP、JSP、ASP.NET等。其特点是使用加密WebShell来防止被发现,通过流量加密使得传统的WAF(Web应用防火墙)、Web IDS(网络入侵检测系统)设备难以检测。其核心功能包括Shell代理功能、Shell管理、文件管理、虚拟终端、数据库管理、插件市场和插件开发。冰蝎的特性使得它在一定程度上能够提高WebShell的隐蔽性和安全性,但同时也需要注意合法使用,并遵守相关法律法规。
【应急响应】Windows应急响应手册(准备阶段、挖矿病毒)
做自己喜欢的事,并将其发挥到极致!
07-16 1159
本篇文章主要以WIndows系统为例围绕红蓝对抗和攻防角度实施应急响应的技术手段,以多方面、多维度进行展开,对于常见的应急事件所采取的应对措施进行阐述,希望对从事网安工作的小伙伴们有所帮助!
WebshellKillerTool.zip(后门查杀软件
01-02
可用来查杀恶意后门,用于服务器安全和虚拟测试,但不能保证绝对性,
阿里云提醒 网站被WebShell木马后门处理过程
网站安全专家
01-10 6761
昨晚凌晨收到新客户的安全求助,说是阿里云短信提示,网站有webshell木马文件被植入,我们SINE安全公司立即成立,安全应急响应小组,客户提供了阿里云的账号密码,随即登陆阿里云进去查看到详情,登陆云盾看到有这样的一个安全提示“网站后门-发现后门(Webshell)文件”事件等级:紧急,影响资产:阿里云ECS:ID,然后贴出了网站木马文件的路径地址:/www/wangzhan/safe/indnx...
第3篇:常见的Webshell查杀工具----应急响应篇
最新发布
星河梦瑾的博客
09-30 840
Sangfor WebShellKill(网站后门检测工具)是一款web后门专杀工具,不仅支持webshell的扫描,同时还支持暗链的扫描。当然,目前市场上的很多主机安全产品也都提供这种WebShell检测能力,比如阿里云、青藤云、safedog等,本文暂不讨论。专注webshell查杀研究,拥有海量webshell样本和自主查杀技术,采用传统特征+云端大数据双引擎的查杀技术。当网站服务器被入侵时,我们需要一款Webshell检测工具,来帮助我们发现webshell,进一步排查系统可能存在的安全漏洞。
服务器发现后门文件,wordpress网站被挂马或发现后门Webshell文件攻击如何处理?...
weixin_33316599的博客
08-06 1290
wordpress在全球前一千万个网站中占有率30%,可想而知wordpress作为外贸网站建站还是企业网站建站都是非常不错的选择。但是wordpress网站被挂马或发现后门Webshell文件攻击我们如何处理?网站被挂马或被攻击的表现症状如下:一:网站出现跳转(有些pc不跳转,但是手机端跳转)二:网站打开速度奇慢,用开发者工具甚至出现一堆404三:网站能打开,但是部分或者全部页面被篡改四:网站页...
简单去 webshell 后门方法
Sud0day的博客
03-02 2582
简单去 webshell 后门方法 0x00 前言 因为我的电脑重装系统之后里面的文件都没有了,所以我近期经常会在网上收集工具,木马,并进行测试,但是令我惊讶的是,基本上在网上找到的马都有后门存在,想必各位都不想自己的劳动成果被别人拿走吧。所以我这篇文章就会教大家简单的去后门。 0X01 环境及工具 本次使用到的环境以及工具有: 某 QQ 群随便下的木马 宝塔面板自带文件编辑 nginx/1.14...
netkiller linux web,WebShellKiller安装使用
weixin_36240211的博客
05-15 568
WebShellKiller安装使用说明最近客户让对服务器上面的文件进行扫描,并提供了工具,特在此对该工具的安装及用法做个记录WebShellKiller简介WebShellKiller是深信服发布的一款webshell查杀工具,支持jsp、asp、aspx、php等脚本的检查。由于不是商用产品也不是开源产品,所以不能保证其后续是否持续维护更新,但基于以下两点就算不再更新该产品还是比较可靠的。其次...
做过免杀处理的2010版上兴远控
08-06
答:按Esc或重启客户端能解决 ------------------------------------------------------------------------------------------ 8、为什看到对方屏幕是白屏的? 答:1、系统处于锁定或未登陆桌面(多数是2000、...
ACA认证——实验
Y1234qq的博客
06-27 636
实验1:ECS之初体验 1. 远程登录到ECS服务器。请使用实验资源提供的ECS服务器的弹性IP,用户名和密码。 2.ECS云服务器已安装部署了WEB环境。执行以下命令,修改WEB服务器显示的页面信息。 # vim /alidata/www/default/index.html 3.请在键盘上输入 “i”,切换到编辑模式,修改<body>中的代码如下: <body> <h1>Welcome to use Al...
红队专题-Perm权限提升与维持隐匿Privilege Escalation
aming小老弟
10-27 1046
高权限不仅能对更多文件进行增删改查的操作,方便进一步收集主机系统中的敏感信息, system权限也可以提取内存中的密码Hash,为进一步的渗透提供更多信息。权限提升是从初始访问权限(通常是标准用户或应用程序帐户)一直提升到administrator, root甚至SYSTEM访问权限的艺术。常见技术或攻击手段来获得高权限帐户访问权限。用于检测和利用不同权限提升技术的手动方法,但会提到可以完成相同工作并节省您一些时间的自动化工具。 完美,它指向我们的有效负载。 使用net(也是默认安装的)启动此服务以获得
linux下的webshell查杀工具
04-03
一款好用的linux下的webshell查杀软件。linux下的webshell查杀工具很少,所以这里分享出来。用于发现服务器上的web后门 官方网站地址:https://www.shellpub.com
深信服WebshellKiller(免安装).zip
10-20
深信服WebshellKiller(免安装).zip分享给大家,请有需要的人学习下载,后续会更新各种网络安全工具,请关注
木马查杀工具(WebShellKillerTool)
08-11
内含工具,无需安装,解压即用,支持Windows XP、Windows 7、Windows 8.1、Windows 10
服务器可疑安全事件 警告:发现后门Webshell)文件网站后门 手动处理流程
06-30 6071
服务器出现了可疑安全事件:包含WEBSHELL代码的日志/图片文件 处理流程
linux查杀web后门webshell
it知识分享 free for nothing..
09-01 1289
linux查杀web后门webshell
使用WebShellKiller检查服务器后门文件
weixin_34075268的博客
03-04 1452
第一步:下载WebShellKiller wget http://edr.sangfor.com.cn/tool/WebShellKillerForLinux.tar.gz 第二步 :解压到当前文件夹 tar -zxf WebShellKillerForLinux.tar.gz 第三步:查看当前文件找到centos_? ls 第四步:查看当前操作系统 cat /etc/system-releas...
应急响应-linux-webshell查杀工具:河马webshell查杀和深信服Webshell
xianjie0318的博客
07-13 8295
一、河马webshell查杀:http://www.shellpub.com 解压hm-linux-amd64.tgz 扫描 二、深信服Webshell网站后门检测工具:https://edr.sangfor.com.cn/#/introduction/wehshell tar -zxvf WebShellKillerForLinux.tar.gz cd centos_64/wscan_app/ #配置类库路径 export LD_LIBRARY_PATH=/home/web/
应急响应 Windows和Linux操作系统(查杀 后门木马,处理 勒索病毒.)
锦鲤的博客
09-02 664
🌾🌾🌾应急响应”对应的英文是“Incident Response”或“Emergency Response”等
阿里云ESC上Docker+Jenkins自动化部署教程
本文主要介绍了如何在阿里云ESC环境中使用Docker和Jenkins进行自动化构建与部署的过程。首先,确保宿主机服务器上安装了Docker,并在安全规则中打开8080端口以支持Jenkins的访问。接下来,对于客户端(例如Mac)的...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值